JP2007067680A - Authentication apparatus, device to be authenticated, and system for authenticating equipment - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform authentication processing with strong resistance against an attack such as decrypting and transmission data copying, etc., by a third person without introducing a large scale function with a large processing load. <P>SOLUTION: When a video camera (an authentication apparatus) 100 is connected to a battery (a device to be authenticated) 200, data for verification generated in a part 102 for generating data for verification is embedded in base data for authentication generated in a part 101 for generating base data for authentication. Then data for authentication is generated and transmitted from the video camera to the battery. A part 203 for generating response data for verification in the battery generates response data for verification, based on the data for verification. Then response data for authentication with the response data for verification embedded in the base data for response generated in a part 204 for generating the base data for response, is returned to the video camera. The video camera compares the data for verification which is transmitted to the battery with the response data for verification in the response data for authentication, so as to authenticate whether the battery is the legitimate device or not. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an authentication device, a device to be authenticated, and a device authentication system for confirming whether or not a secondary device connected to a main device is a legitimate device (genuine product). The present invention relates to an authentication device, an authenticated device, and a device authentication system for confirming whether or not a battery is a genuine product when connection is detected.

  Conventionally, the secondary device (authenticated device) used by connecting to the main device (authentication device) is a legitimate device (genuine product) determined by the manufacturer in terms of operational reliability, safety, performance, etc. ) Is preferred. For example, when considering a video camera as the main device and a battery that supplies power to the video camera as the sub device, the video camera manufacturer determines the safety, performance, and reliability of the rated voltage and current. It is desirable to use a rechargeable battery.

As described above, as a conventional technique for authenticating devices connected to each other, for example, a technique disclosed in Patent Document 1 below is known. In the technique disclosed in Patent Document 1, in order for the main device to authenticate the sub device, first, a random number is generated, and one of the secret keys of a plurality of different secret keys is used as the encryption key. Then, this random number is encrypted and transmitted to the secondary device. The secondary device has the same key ring as the main device, decrypts the encrypted data using this key ring, takes out the random number, and uses one of the secret keys in the key ring as an encryption key, This random number is encrypted and sent back to the main unit. Then, the main device uses the key ring to decrypt the received reply data to extract a random number, and when a value that matches the first generated random number is obtained, the authentication is passed and the sub device is valid. Judged to be a device.
Japanese Patent Laid-Open No. 11-8618 (FIG. 3)

  However, as in the technique disclosed in Patent Document 1, when encryption processing and decryption processing using a secret key are performed, data transmitted between the main device and the sub device is complicated, Although resistance against attacks such as decryption by a third party and imitation of transmission data is strong, encryption processing and decryption processing using a key has a problem that the processing load is very large.

  For example, in the technique disclosed in Patent Document 1, both the main apparatus and the sub apparatus need to perform complicated operations and perform a plurality of secrets in order to perform data encryption processing and decryption processing. It is necessary to have a non-volatile memory in which a key ring consisting of keys is stored in advance.

  The genuine product authentication process is a pre-process of the original operation by the main device and the sub-device. Therefore, there is a request that the scale of the circuit (or software) is not increased for such pre-processing. In the technology disclosed in Patent Document 1, it is necessary to provide each device with a function for executing complicated operations related to encryption processing and decryption processing, a non-volatile memory for storing a key ring, and the like. is there. Introducing such a large-scale function makes it difficult to reduce the size and weight of each device, reduce the cost, and reduce the processing load on each device. In addition, since encryption processing and decryption processing using a key have a large amount of calculation, the technique disclosed in Patent Document 1 also has a problem that it takes time to determine whether the authentication is passed or failed.

  In view of the above-described problems, the present invention realizes authentication processing having strong resistance to attacks such as decryption by a third party and imitation of transmission data without introducing a large-scale function with a large processing load. An object of the present invention is to provide an authentication device, a device to be authenticated, and a device authentication system.

In order to achieve the above object, according to the present invention, there is provided an authentication device for authenticating whether or not the device to be authenticated is a regular device,
Authentication base data generating means for generating N (N is a natural number) bytes of authentication base data;
Verification data generation means for generating verification data of M (M is a natural number) bytes smaller than N bytes;
Verification data storage means for storing the verification data generated by the verification data generation means;
Based on a predetermined embedding pattern, by embedding the verification data generated by the verification data generation means in the authentication base data generated by the authentication base data generation means, Authentication data generation means for generating;
Authentication data transmitting means for transmitting the authentication data generated by the authentication data generating means to the device to be authenticated;
Authentication response data receiving means for receiving authentication response data of L (L is a natural number) bytes larger than M bytes, which is response data of the authentication data, from the device to be authenticated;
A verification response data extraction unit that extracts M-byte verification response data from the authentication response data received by the authentication response data reception unit based on a predetermined embedding pattern;
Verification response data dividing means for dividing the verification response data extracted by the verification response data extraction means into a plurality of X-bit verification response data having an X (X is a natural number) bit width;
Verification data dividing means for dividing the verification data stored in the verification data storage means into a plurality of X bit verification data having an X bit width;
Any one of addition results obtained by adding a predetermined range of values to arbitrary X-bit verification data, and a bit in the verification data in which the arbitrary X-bit verification data exists Verification means for verifying whether or not the value of the X bit verification response data existing in the bit area in the verification response data corresponding to the area matches,
When the verification results by the verification unit match for all combinations of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is a regular device and performs operation control. On the other hand, if the verification result does not match for at least one of the combination of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is not a legitimate device. And an operation control means for controlling the operation of the device to be authenticated not to be performed.
An authentication device is provided.

In order to achieve the above object, according to the present invention, a device to be authenticated that proves that the device is a legitimate device with respect to the authentication device,
Authentication data receiving means for receiving N (N is a natural number) bytes of authentication data from the authentication device;
Verification data extraction means for extracting M (M is a natural number) bytes of verification data smaller than N bytes from the authentication data received by the authentication data reception means based on a predetermined embedding pattern;
Verification data dividing means for dividing the verification data extracted by the verification data extraction means into X-bit verification data consisting of a plurality of bit areas having an X (X is a natural number) bit width;
A plurality of random numbers having values within a predetermined range set in advance are generated, and each of the plurality of random numbers is obtained for each of the plurality of X-bit verification data acquired from the verification data dividing unit. Adding means for adding;
A verification response for generating M-byte verification response data by returning each of the plurality of X-bit verification data added with the random number by the adding means to the bit area divided by the verification data dividing means Data generation means;
Response base data generating means for generating response base data of L (L is a natural number) bytes larger than M bytes;
Based on a predetermined embedding pattern, the authentication response data generated by the verification response data generation unit is embedded in the response base data generated by the response base data generation unit, thereby the authentication Authentication response data generating means for generating authentication response data that is response data of the authentication data;
Authentication response data transmitting means for transmitting the authentication response data generated by the authentication response data generating means to the authentication device;
A device to be authenticated is provided.

In order to achieve the above object, according to the present invention, there is provided a device authentication system including an authentication device that authenticates whether or not the device to be authenticated is a legitimate device, and the device to be authenticated. There,
The authentication device is
Authentication base data generating means for generating N (N is a natural number) bytes of authentication base data;
Verification data generation means for generating verification data of M (M is a natural number) bytes smaller than N bytes;
Verification data storage means for storing the verification data generated by the verification data generation means;
Based on a predetermined embedding pattern, by embedding the verification data generated by the verification data generation means in the authentication base data generated by the authentication base data generation means, Authentication data generation means for generating;
Authentication data transmitting means for transmitting the authentication data generated by the authentication data generating means to the device to be authenticated;
Authentication response data receiving means for receiving authentication response data of L (L is a natural number) bytes larger than M bytes, which is response data of the authentication data, from the device to be authenticated;
A verification response data extraction unit that extracts M-byte verification response data from the authentication response data received by the authentication response data reception unit based on a predetermined embedding pattern;
Verification response data dividing means for dividing the verification response data extracted by the verification response data extraction means into a plurality of X-bit verification response data having an X (X is a natural number) bit width;
Verification data dividing means for dividing the verification data stored in the verification data storage means into a plurality of X bit verification data having an X bit width;
Any one of addition results obtained by adding a predetermined range of values to arbitrary X-bit verification data, and a bit in the verification data in which the arbitrary X-bit verification data exists Verification means for verifying whether or not the value of the X bit verification response data existing in the bit area in the verification response data corresponding to the area matches,
When the verification results by the verification unit match for all combinations of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is a regular device and performs operation control. On the other hand, if the verification result does not match for at least one of the combination of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is not a legitimate device. And an operation control means for controlling the operation of the device to be authenticated not to be performed,
The device to be authenticated is
Authentication data receiving means for receiving the authentication data from the authentication device;
Verification data extraction means for extracting the verification data from the authentication data received by the authentication data reception means based on a predetermined embedding pattern;
Verification data dividing means for dividing the verification data extracted by the verification data extraction means into X-bit verification data consisting of a plurality of bit areas having an X-bit width;
A plurality of random numbers having values within a predetermined range set in advance are generated, and each of the plurality of random numbers is obtained for each of the plurality of X-bit verification data acquired from the verification data dividing unit. Adding means for adding;
Verification response data for generating the verification response data by returning the plurality of X-bit verification data added with the random number by the addition means to each of the bit areas divided by the verification data division means Generating means;
Response base data generating means for generating the response base data of L bytes;
Based on a predetermined embedding pattern, the authentication response data generated by the verification response data generation unit is embedded in the response base data generated by the response base data generation unit, thereby the authentication Authentication response data generating means for generating response data for authentication;
An apparatus authentication system is provided that includes authentication response data transmission means for transmitting the authentication response data generated by the authentication response data generation means to the authentication device.

  The present invention has the above-described configuration, and does not introduce a large-scale function with a large processing load, but only with small-scale arithmetic processing, and can attack attacks such as decryption by a third party and imitation of transmission data. On the other hand, it has an effect that authentication processing having strong tolerance can be realized.

  Hereinafter, an authentication apparatus, an apparatus to be authenticated, and a device authentication system according to an embodiment of the present invention will be described with reference to the drawings. In the following, a case where the authentication device in the embodiment of the present invention is a video camera and the authentication target device in the embodiment of the present invention is a battery connected to the video camera will be described as an example. The combination of the device and the device to be authenticated is not limited to this, and any combination of an arbitrary device and a device that operates by being connected to the arbitrary device may be an authentication device and a device to be authenticated. An authentication device can be used. Also, here, the video camera is the authentication device and the battery is the device to be authenticated, but the settings of the main device that is the subject of authentication and the secondary device that is the object to be authenticated are arbitrary. For example, the battery is the authentication device. The video camera may be an authenticated device.

  First, with reference to FIG. 1, functions of a video camera exemplified as an example of an authentication apparatus according to the present invention and a battery exemplified as an example of an authenticated apparatus according to the present invention will be described. FIG. 1 is a functional block diagram schematically showing an example of the functions of the authentication device and the device to be authenticated according to the embodiment of the present invention. FIG. 1 illustrates a video camera 100 and a battery 200 that is connected to the video camera 100 and supplies power. FIG. 1 mainly shows only components related to the functions according to the present invention. Various functions of the video camera 100 and the battery 200 (for example, a CCD (Charge Coupled Devices) camera, an image processing DSP ( A digital signal processor (LCD), a liquid crystal display (LCD), a regulator that controls power supply, and the like are not illustrated.

  A video camera 100 illustrated in FIG. 1 includes an authentication base data generation unit 101, a verification data generation unit 102, an authentication data generation unit 103, a verification data storage unit 104, an authentication data transmission unit 105, and an authentication data. A response data receiving unit 106, a verification response data extracting unit 107, a comparison verification unit 108, and an operation control unit 109 are included. On the other hand, the battery 200 illustrated in FIG. 1 includes an authentication data reception unit 201, a verification data extraction unit 202, a verification response data generation unit 203, a response base data generation unit 204, and an authentication response data generation unit 205. The authentication response data transmission unit 206 is included. The data processing function, data calculation function, data comparison function, etc. represented by each component are realized by hardware such as a circuit and / or software executed by a CPU (Central Processing Unit). Is possible.

  The authentication basic data generation unit 101 of the video camera 100 has a function of generating authentication basic data P. The authentication base data P generated by the authentication base data generation unit 101 is supplied to the authentication data generation unit 103.

  The authentication base data P is data having a predetermined N byte array and the value of each bit being set to 0 or 1 at random. As will be described later, the authentication base data P is data serving as a basis in which the verification data A is embedded, and data constituting a dummy bit for concealing the verification data A necessary for the authentication processing. It is.

  Specifically, for example, when N = 4, the authentication base data P is a 4-byte random bit array illustrated in FIG. Note that FIG. 5 shows an example in which the authentication base data P has a value of “01011011110001010010101011010001”, but for each byte (8 bits) for clarity of illustration. The lines are described separately, and the Y1-Y4 coordinates are set for each line, and the X0-X7 coordinates are set for each column. In the following, when each bit of the authentication base data P is represented, it may be represented by a coordinate expression such as P (X4, Y3).

  The verification data generation unit 102 of the video camera 100 has a function of generating verification data A. The verification data A generated by the verification data generation unit 102 is an authentication data generation unit. 103 and stored in the verification data storage unit 104.

  The verification data A is data having a predetermined M-byte array and the value of each bit being set to 0 or 1 at random. However, the number of bytes M of the verification data A needs to be smaller than the number of bytes N of the authentication base data P. Specifically, for example, when M = 2, the verification base data A is a 2-byte random bit array illustrated in FIG. In FIG. 6, the case where the verification data A has a value of “0110101111100001” is illustrated as an example. However, for the sake of clarity, the verification data A is performed for each byte (8 bits). And the coordinates of Y1 to Y2 are set for each row and the coordinates of X0 to X7 are set for each column. In the following description, each bit of the verification data A may be expressed by a coordinate expression such as A (X5, Y2).

  Further, the authentication data generation unit 103 of the video camera 100 is based on the authentication base data P generated by the authentication base data generation unit 101 and the verification data A generated by the verification data generation unit 102. And a function of generating authentication data Q. The authentication data Q generated by the authentication data generation unit 103 is supplied to the authentication data transmission unit 105.

  The authentication data Q is generated by embedding verification data A in authentication base data P. For example, the authentication data generation unit 103 grasps an embedding pattern predetermined by the specification, and performs the embedding process of the verification data A in the authentication base data P according to the embedding pattern.

  Specifically, for example, an embedding pattern as illustrated in FIG. 7 is predetermined according to the specification. The embedding pattern shown in FIG. 7 schematically shows the positions where the verification data A is replaced by bits in the authentication base data P. Based on the embedding pattern as illustrated in FIG. 7, the authentication data generation unit 103 includes the verification data A illustrated in FIG. 6 in the authentication base data P illustrated in FIG. Perform embedding.

  Thereby, the authentication data generation unit 103 sets the bit value of P (X0, Y1) to the bit value of A (X7, Y1) and the bit value of P (X3, Y1) to the bit of A (X0, Y2). In the value, the bit value of P (X4, Y1) is the bit value of A (X6, Y2), the bit value of P (X6, Y1) is the bit value of A (X1, Y2), and P (X1, Y2) ) Bit value of A (X5, Y2), bit value of P (X2, Y2) to bit value of A (X6, Y1), and bit value of P (X5, Y2) to A (X5 , Y1), the bit value of P (X7, Y2) to the bit value of A (X2, Y1), the bit value of P (X1, Y3) to the bit value of A (X3, Y1), The bit value of P (X3, Y3) is changed to the bit value of A (X2, Y2), and the bit value of P (X5, Y3) is changed to that of A (X0, Y1). The bit value of P (X0, Y4) is the bit value of A (X4, Y2), the bit value of P (X2, Y4) is the bit value of A (X3, Y2), and P (X4 , Y4), the bit value of A (X4, Y1), the bit value of P (X6, Y4), the bit value of A (X7, Y2), and the bit value of P (X7, Y4), A Authentication data Q is generated by substituting each bit value for (X1, Y1).

  As a result, the verification data A is embedded in the authentication base data P. As shown in FIG. 8, 4 bytes having the value “11010011101000000010011101001011011” (the same byte as the authentication base data P) are obtained. Number N) of authentication data Q is generated. For example, since the authentication base data P and the verification data A are generated independently of each other, the bit value 1 of P (X3, Y1) is changed to the bit value of A (X0, Y2) in the above example. There may be a case where the bit value is not substantially replaced as in the case of replacing with 1.

  The verification data storage unit 104 of the video camera 100 has a function of storing the verification data A generated by the verification data generation unit 102. The verification data storage unit 104 stores the verification data A from being generated by the verification data generation unit 102 until being read by the comparison verification unit 108.

  The authentication data transmission unit 105 of the video camera 100 has a function of transmitting the authentication data Q generated by the authentication data generation unit 103 to the battery 200.

  On the other hand, the authentication data receiving unit 201 of the battery 200 has a function of receiving the authentication data Q transmitted from the authentication data transmitting unit 105 of the video camera 100. The authentication data Q received by the authentication data receiving unit 201 is supplied to the verification data extracting unit 202.

  The verification data extraction unit 202 of the battery 200 has a function of extracting verification data A embedded in the authentication data Q received by the authentication data reception unit 201. The verification data extraction unit 202 grasps in advance the embedding pattern (embedding pattern shown in FIG. 7) used by the authentication data generation unit 103 of the video camera 100 when generating the authentication data Q. . Therefore, the verification data extraction unit 202 is illustrated in FIG. 8 by performing a process reverse to the process of embedding the verification data A in the authentication data Q in the authentication data generation unit 103 described above. The verification data A shown in FIG. 6 can be extracted from the authentication data Q. The verification data A extracted by the verification data extraction unit 202 is supplied to the verification response data generation unit 203.

  The verification response data generation unit 203 of the battery 200 has a function of generating verification response data B by executing a predetermined algorithm on the verification data A extracted by the verification data extraction unit 202. have. As the predetermined algorithm executed in the verification response data generation unit 203, it is desirable to adopt, for example, an algorithm that executes the following calculation in consideration of the processing load and processing delay.

  Here, an algorithm executed by the verification data extraction unit 202 of the battery 200 to generate the verification response data B from the verification data A will be described with reference to FIG. FIG. 2 is a flowchart showing an example of an algorithm executed in the authenticated apparatus to generate verification response data B from verification data A in the embodiment of the present invention.

  In FIG. 2, when the verification data A is supplied from the verification data extraction unit 202, the verification response data generation unit 203 divides the verification data A into bytes, and further, data for each byte. Is divided into upper 4 bits and lower 4 bits (step S401). As a result, for example, four pieces of 4-bit data shown in FIG. 9 are generated from the 2-byte verification data A shown in FIG. In the following, among the four data generated from the verification data A shown in FIG. 6, data having a value of “1011” is data A1, data having a value of “0110” is data A2, Data having a value of “0001” is represented as data A3, and data having a value of “1110” is represented as data A4.

  Next, the verification response data generation unit 203 generates, for example, four random numbers r1 to r4 in a range of 1 to 4 (that is, “001” to “100” in bit notation) (Step S403). By adding the random numbers r1 to r4 to each of the data A1 to A4, data B1 = data A1 + random number r1, data B2 = data A2 + random number r2, data B3 = data A3 + random number r3, data B4 = data Four data B1 to B4 of A4 + random number r4 are generated (step S405). For example, when the random number r1 = 4, the random number r2 = 1, the random number r3 = 2, and the random number r4 = 1, the four data A1 to A4 illustrated in FIG. 9 to the four data illustrated in FIG. B1 to B4 (data B1 value “1111”, data B2 value “0111”, data B3 value “0011”, and data B4 value “1111”) are generated. When a carry (carry) exceeding “1111” occurs due to the addition of random numbers r1 to r4, the value of the most significant bit (lower 5th bit) is discarded, and the value of the lower 4 bits is used as the addition result. It is desirable to do.

  After the calculation of the data B1 to B4, the verification response data generation unit 203 performs the reverse process of the process of generating the data A1 to A4 from the verification data A, and combines the data B1 and the data B2. Two 1-byte data are generated by combining the data B3 and the data B4, and further, these two data are combined to generate 2-byte verification response data B (step S407). As a result, the verification response data B shown in FIG. 11 is generated. The verification response data B generated by the verification response data generation unit 203 is supplied to the authentication response data generation unit 205. In FIG. 11, the case where the verification response data B has a value of “0111111111110011” is shown as an example, but for each byte (8 bits), the illustration is clear. The lines are described separately, and the Y1-Y2 coordinates are set for each line and the X0-X7 coordinates are set for each column. In the following description, each bit of the response data for verification B may be expressed by a coordinate expression such as B (X5, Y2).

  In the above example, after the verification data A is divided into four, an algorithm for generating verification response data B by adding random numbers r1 to r4 in the range of 1 to 4 to each 4-bit unit data. For example, the number of divisions of the verification data A is not limited to 4, and the range of the random numbers r1 to r4 is not limited to 1 to 4, for example. Further, the division unit of the verification data A is not limited to the 4-bit width, and the verification data A may be divided into data having different bit widths. Furthermore, the verification response data B may be generated from the verification data A using an arbitrary algorithm different from the above-described algorithm.

  The response base data generation unit 204 of the battery 200 has a function of generating response base data R. The response base data R generated by the response base data generation unit 204 is supplied to the authentication response data generation unit 205.

  The response base data R is data having a predetermined L byte array and the value of each bit being set to 0 or 1 at random. As will be described later, the response base data R is the base data in which the verification response data B is embedded, and constitutes a dummy bit for concealing the verification response data B necessary for the authentication process. It is data to be.

  Specifically, for example, when L = 4, the response base data R is a 4-bit random bit array illustrated in FIG. The response base data R has the same structure as the authentication base data P generated by the authentication base data generation unit 101 of the video camera 100, but the response base data generation unit 204 is unique. Therefore, the value of the response base data R is basically different from the value of the authentication base data P.

  FIG. 12 shows an example in which the response base data R has a value of “010000010100110000010110001001111”, but for each byte (8 bits) for clarity of illustration. The lines are described separately, and the Y1-Y4 coordinates are set for each line, and the X0-X7 coordinates are set for each column. In the following description, each bit of the response base data R may be expressed by a coordinate expression such as R (X4, Y3). In the following description, the number of bytes L of the response base data R is described as the same number of bytes N (= 4) as the authentication base data P and the authentication data Q. L and the number of bytes N of the authentication base data P and the authentication data Q do not have to be the same. However, the number of bytes L of the response base data R needs to be larger than the number of bytes M of the verification response data B.

  In addition, the authentication response data generation unit 205 of the battery 200 includes the verification response data B generated by the verification response data generation unit 203 and the response base data R generated by the response base data generation unit 204. Based on this, the authentication response data S is generated. The authentication response data S generated by the authentication response data generation unit 205 is supplied to the authentication response data transmission unit 206.

  The authentication response data S is generated by embedding the verification response data B in the response base data R. For example, the authentication response data generation unit 205 grasps an embedding pattern predetermined by the specification, and performs the embedding process of the verification response data B in the response base data R according to the embedding pattern.

  Specifically, for example, as in the authentication data generation unit 103 of the video camera 100, an embedding pattern as illustrated in FIG. 7 is predetermined according to the specification, and the generation of authentication data Q (for authentication) As in the case of embedding the verification data A in the base data P), the verification response data B is embedded in the response base data R.

  As a result, the authentication response data generation unit 205 sets the bit value of R (X0, Y1) to the bit value of B (X7, Y1) and the bit value of R (X3, Y1) to B (X0, Y2). In the bit value, the bit value of R (X4, Y1) is the bit value of B (X6, Y2), the bit value of R (X6, Y1) is the bit value of B (X1, Y2), and R (X1, Y2) Y2) is the bit value of B (X5, Y2), the bit value of R (X2, Y2) is the bit value of B (X6, Y1), and the bit value of R (X5, Y2) is B ( X5, Y1) bit value, R (X7, Y2) bit value to B (X2, Y1) bit value, R (X1, Y3) bit value to B (X3, Y1) bit value , R (X3, Y3) is changed to B (X2, Y2), and R (X5, Y3) is changed to B (X0, Y1). The bit value of R (X0, Y4) is the bit value of B (X4, Y2), the bit value of R (X2, Y4) is the bit value of B (X3, Y2), and R (X4 , Y4) to B (X4, Y1) bit value, R (X6, Y4) bit value to B (X7, Y2) bit value, R (X7, Y4) bit value to B The authentication response data S is generated by substituting with the bit values of (X1, Y1).

  As a result, the verification response data B is embedded in the response base data R, and as shown in FIG. 13, 4 bytes having the value of “11011011001011010101001001101111” (the same as the response base data R) Authentication response data S having a number of bytes L) is generated. Here, the authentication response data generation unit 205 is the same as the embedding pattern (embedding pattern shown in FIG. 7) used by the authentication data generation unit 103 of the video camera 100 when generating the authentication data Q. Although the case where the verification response data B is embedded in the response base data R using the embedded pattern to generate the authentication response data S is shown, the embedded pattern used by the authentication response data generation unit 205 is a video. The embedding pattern used by the authentication data generation unit 103 of the camera 100 may be different.

  The authentication response data transmission unit 206 of the battery 200 has a function of transmitting the authentication response data S generated by the authentication response data generation unit 205 to the video camera 100.

  On the other hand, the authentication response data receiving unit 106 of the video camera 100 has a function of receiving authentication response data S, which is a response to the authentication data Q, from the battery 200. The authentication response data S received by the authentication response data receiving unit 106 is supplied to the verification response data extracting unit 107.

  The verification response data extraction unit 107 of the video camera 100 has a function of extracting the verification response data B embedded in the authentication response data S received by the authentication response data reception unit 106. . The verification response data extraction unit 107 uses an embedding pattern (here, the embedding pattern illustrated in FIG. 7) used by the authentication response data generation unit 205 of the battery 200 when generating the authentication response data S. Know in advance. Therefore, the verification response data extraction unit 107 performs a process reverse to the process of embedding the verification response data B in the authentication response data S in the authentication response data generation unit 205 described above, thereby performing FIG. The verification response data B shown in FIG. 11 can be extracted from the authentication response data S shown in FIG. The verification response data B extracted by the verification response data extraction unit 107 is supplied to the comparison verification unit 108.

  Further, the comparison verification unit 108 of the video camera 100 includes the verification data A stored in the verification data storage unit 104 and the verification response data extracted from the authentication response data S by the verification response data extraction unit 107. It has a function of comparing with B and verifying whether or not the verification response data B is correctly generated based on the verification data A.

  Here, referring to FIG. 3, the verification verification data 108 of the video camera 100 executes in order to verify whether the verification response data B is correctly generated based on the verification data A. The algorithm will be described. FIG. 3 shows an example of an algorithm executed by the authentication apparatus for verifying whether or not the verification response data B is correctly generated based on the verification data A in the embodiment of the present invention. It is a flowchart to show.

  In FIG. 3, the comparison verification unit 108 grasps the algorithm executed by the verification response data generation unit 203 of the battery 200, and uses the verification response data B supplied from the verification response data extraction unit 107 as a byte unit. In addition, the data of each byte unit is further divided into upper 4 bits and lower 4 bits to generate the four data B1 to B4 shown in FIG. 10 (step S501). Similarly, the comparison verification unit 108 divides the verification data A read from the verification data storage unit 104 into byte units, and further divides each byte unit data into upper 4 bits and lower 4 bits. Thus, the four data A1 to A4 shown in FIG. 9 are generated (step S503).

  Then, the comparison verification unit 108 verifies each of the data A1 to A4 and each of the data B1 to B4. Specifically, for example, the comparison verification unit 108 sets the variables u and v to u = 1 and v = 1, respectively (steps S505 and S507), and adds and adds the value v to the data Au. The result α is acquired (step S509), and a comparison is made as to whether or not the addition result α matches the value of the data Bu (step S511). For example, in the first calculation, the variables u and v are set to u = 1 and v = 1, respectively. In step S511, whether or not the addition result α = data A1 + 1 matches the value of the data B1. A comparison is made. Note that the value obtained by adding any one of the values 1 to 4 to the data A1 exceeded “1111”, similar to the generation of the data B1 to B4 in the verification response data generation unit 203 of the battery 200. In this case, the value of the most significant bit is truncated, and the lower 4 bits are made valid.

  The verification data A and the verification response data B have the same byte size, and when the data u and the data u have the same variable u, the data Au and the data Bu are the same. It corresponds to the bit area. For example, when u = 1, the data A1 and the data B1 are values of the first 8-bit area of the verification data A and the verification response data B, respectively.

  At this time, if the addition result α does not match the value of the data Bu (“No” in step S511), the value v is incremented by 1 (step S515), and the processes of steps S509 and S511 are performed again. Is called. That is, if the addition result α = data A1 + 1 does not match the value of the data B1, whether or not the addition result α = data A1 + 2 and the data B1 match is compared. Similarly, the same processing is performed when the variable v takes values of 3 and 4. In all cases of v = 1 to 4, the addition result α = data A1 + v and the value of the data B1 do not match. If the variable v has reached 4 in step S513, the verification of the response data B for verification is rejected, the authentication of the battery 200 is rejected, and the comparison verification unit 108 Sends an authentication failure notification to the operation control unit 109 (step S517).

  On the other hand, if the addition result α matches the value of the data Bu (“Yes” in step S511), the verification of the data Bu is regarded as passing and the value u is incremented by 1 (step S521). Then, another data Bu is compared with the data Au for verification.

  Specifically, in the example of the verification data A illustrated in FIGS. 6 and 9 and the verification response data B illustrated in FIGS. 10 and 11, the comparison verification unit 108 first stores the data A1. The value “1100” obtained by adding 1 to the value “1011” is compared with the value “1111” of the data B1. Since these values do not match, the comparison and verification unit 108 further adds a value obtained by adding 1 (a value obtained by adding 2 to the value “1011” of the data A1) “1101” and the value “1111” of the data B1. Compare. Since these values do not match, the comparison / verification unit 108 further calculates a value obtained by adding 1 (a value obtained by adding 3 to the value “1011” of the data A1) “1011” and the value “1111” of the data B1. Compare. Since these values do not match, the comparison verification unit 108 further adds a value obtained by adding 1 (a value obtained by adding 4 to the value “1011” of the data A1) and the value “1111” of the data B1. Compare. Since these values coincide with each other, the comparison verification unit 108 regards the verification of the data B1 as passing, and next performs the same verification regarding the verification of the data B2.

  In all cases where the variable u = 1 to 4, the addition result α = data Au + v (v = 1 to 4) matches the data Bu (that is, the value of the data B1 is the data A1). Within the range of the value obtained by adding 1 to the value of 1 to the value obtained by adding 4 to the value of data A1, the value of data B2 is the value obtained by adding 1 to the value of data A2 to the value obtained by adding 4 to the value of data A2. Within the range, the value of data B3 is the value obtained by adding 1 to the value of data A3 to the value obtained by adding 4 to the value of data A3, the value of data B4 is the value obtained by adding 1 to the value of data A4 to data In the case where all the conditions within the range of the value obtained by adding 4 to the value of A4 are satisfied, it is determined whether or not the variable u has reached 4 in step S519 (that is, data A1 to A4 and data B1 to B4). Judgment whether or not all the correspondence with ) After a, authentication of the battery 200 and pass, comparative verification unit 108, to the operation control unit 109 sends the authentication acceptance notification (step S523).

  Note that when the data B1 to B4 are generated by the verification response data generation unit 203 of the battery 200, values to be added to each of the data A1 to A4 are set to fixed values according to the specifications, and the video camera 100 is compared. It is also possible for the verification unit 108 to verify the match with each of the data B1 to B4 by adding a fixed value to each of the data A1 to A4. On the other hand, as described above, the comparison response data generation unit 203 of the battery 200 adds the values added to the data A1 to A4 to the random numbers r1 to r4 within a predetermined range, and the comparison verification unit 108 When each of B1 to B4 and each of the data A1 to A4 are verified to match with a value obtained by adding a value within a certain range, a plurality of solutions that the authentication of the battery 200 is regarded as passing are established. It will be. In this way, it is difficult to guess the regularity by which a solution that passes the certification is obtained by making the certification regarded as a pass if it conforms to any one of a plurality of solutions. It is possible to prevent the decryption of the algorithm used and the unauthorized creation of authentication data or authentication response data.

  In addition, the operation control unit 109 of the video camera 100 has a function of performing operation control of the video camera 100 in response to an authentication pass or authentication failure notification from the comparison verification unit 108. When the authentication verification notification is received from the comparison verification unit 108, the operation control unit 109 operates the connection between the video camera 100 and the battery 200 so that the power supply from the battery 200 to the video camera 100 is normally performed. Control to be done. On the other hand, when the authentication verification notification is received from the comparison verification unit 108, the operation control unit 109 controls the operation of the video camera 100 or the battery 200 so that power is not supplied from the battery 200 to the video camera 100. And informing that the authentication of the battery 200 has failed. As one form of this notification, for example, as shown in FIG. 14, the fact that an error has occurred in communication between the video camera 100 and the battery 200 is displayed on the display of the video camera 100.

  Next, an example of a communication operation performed between the video camera 100 and the battery 200 according to the present invention will be described with reference to FIG. FIG. 4 is a sequence chart showing an example of the communication operation of the authentication device and the device to be authenticated in the embodiment of the present invention.

  In FIG. 4, the video camera 100 that has detected the physical connection with the battery 200 first generates, for example, 4-byte authentication base data P by the authentication base data generation unit 101 (step S301). The data generation unit 102 generates, for example, 2-byte verification data A (step S303). The authentication base data P and verification data A are sent to the authentication data generation unit 103, and the verification data A is stored in the verification data storage unit 104 (step S305).

  Next, as described above, the authentication data generation unit 103 of the video camera 100 embeds the verification data A in the authentication base data P based on the embedding pattern determined by the specification, and thereby generates 4-byte authentication data. Q is generated (step S307), and the authentication data Q is transmitted from the authentication data transmission unit 105 to the battery 200 (step S309).

  When the authentication data receiving unit 201 receives the authentication data Q transmitted from the video camera 100 in step S309, the verification data extraction unit 202 receives the authentication data Q based on the embedded pattern defined by the specification. The verification data A is extracted from the verification data A (step S311), and the verification response data generation unit 203 performs an operation on the extracted verification data A according to a predetermined algorithm to obtain the 2-byte verification response data B. Generate (step S313). For example, as described above, the verification response data B is obtained by dividing the verification data A into four units in units of 4 bits and a predetermined range (1 to 4) with respect to the four divided 4-bit units. Are added to the 2-byte data again.

  Further, the battery 200 generates, for example, 4-byte response base data R by the response base data generation unit 204 (step S315). Then, the authentication response data generation unit 205 of the battery 200 uses the embedding pattern defined by the specification as described above (this embedding pattern may be different from the embedding pattern referred to in steps S307 and S311). The verification response data B is embedded in the response base data R to generate 4-byte authentication response data S (step S317), and the authentication response data S is sent from the authentication response data transmission unit 206 to the video camera. 100 (step S319).

  The video camera 100 that has received the authentication response data S transmitted from the battery 200 in step S319 by the authentication response data receiving unit 106 is authenticated by the verification response data extracting unit 107 based on the embedding pattern defined by the specification. The verification response data B is extracted from the response data S (step S321). The comparison verification unit 108 of the video camera 100 compares and verifies the verification data A stored in the verification data storage unit 104 in step S305 and the verification response data B extracted by the verification response data extraction unit 107. Thus, it is determined whether or not the verification response data B is generated based on the verification data A, and the battery 200 is authenticated (step S323). In the verification of the verification response data B, for example, as described above, the verification data A and the verification response data B are each divided into four in units of 4 bits, and the data A1 to A4 and the data B1 to B4 are divided. It is determined whether or not each of the data B1 to B4 matches any one of the values obtained by adding 1 to 4 to each of the data A1 to A4.

  Then, the comparison verification unit 108 determines whether the battery 200 is authenticated or not, and the operation control unit 109 controls the operation of the video camera 100 and / or the battery 200 according to the authentication result (step S325). .

  As described above, according to the embodiment of the present invention, when authentication processing is performed between the authentication device and the device to be authenticated, the authentication device and the device to be authenticated execute simple arithmetic processing. As a result, data can be generated and verified. Further, based on a predetermined embedding pattern, the data (verification data A or verification response) required for the authentication process in the basic data (authentication basic data P or response basic data R) constituting the dummy bits. By embedding data B), data transmitted between the authentication device and the device to be authenticated (authentication data Q or authentication response data S) is generated so that a third party can perform authentication processing. It becomes possible to make it difficult to steal necessary data. Further, for example, the device to be authenticated generates verification response data B by adding a random number within a predetermined range to data obtained by dividing verification data A into four bits in units of 4 bits. It is possible to generate a range of verification response data B instead of generating the verification response data B uniquely corresponding to the verification data B. When generating the verification response data B from the verification data A It is possible to prevent regularity from being easily deciphered.

  The present invention does not introduce a large-scale function with a large processing load, but only with a small-scale calculation process, and an authentication process having strong resistance to attacks such as decryption by a third party and imitation of transmission data Therefore, the present invention can be applied to an authentication processing technique for confirming whether or not the secondary device connected to the main device is a regular device (genuine product).

It is a functional block diagram which shows typically an example of the function which the authentication apparatus in embodiment of this invention and a to-be-authenticated apparatus have. 4 is a flowchart illustrating an example of an algorithm executed by an authenticated device to generate verification response data B from verification data A in the embodiment of the present invention. 6 is a flowchart illustrating an example of an algorithm executed by the authentication apparatus to verify whether verification response data B is correctly generated based on verification data A in the embodiment of the present invention. . It is a sequence chart which shows an example of communication operation | movement of the authentication apparatus and to-be-authenticated apparatus in embodiment of this invention. It is a figure which shows an example of the authentication basic data P produced | generated with the authentication apparatus in embodiment of this invention. It is a figure which shows an example of the data A for verification produced | generated with the authentication apparatus in embodiment of this invention. It is a figure which shows an example of the embedding pattern used at the time of the production | generation of the data for authentication Q with the authentication apparatus in embodiment of this invention. It is a figure which shows an example of the data for authentication Q produced | generated with the authentication apparatus in embodiment of this invention. It is a figure which shows an example of the data A1-A4 which the verification data A produced | generated with the to-be-authenticated apparatus in embodiment of this invention divided | segmented into 4 bits. It is a figure which shows an example of the data B1-B4 which added the random numbers r1-r4 to the data A1-A4 produced | generated with the to-be-authenticated apparatus in embodiment of this invention. It is a figure which shows an example of the response data for verification B produced | generated by the to-be-authenticated apparatus in embodiment of this invention. It is a figure which shows an example of the response base data R produced | generated by the to-be-authenticated apparatus in embodiment of this invention. It is a figure which shows an example of the response data S for authentication produced | generated by the to-be-authenticated apparatus in embodiment of this invention. It is a figure which shows an example of the display screen displayed on a display, when authentication of a to-be-authenticated apparatus ends in the authentication apparatus in embodiment of this invention.

Explanation of symbols

100 Video camera (authentication device)
DESCRIPTION OF SYMBOLS 101 Authentication basic data generation part 102 Verification data generation part 103 Authentication data generation part 104 Verification data storage part 105 Authentication data transmission part 106 Authentication response data reception part 107 Verification response data extraction part 108 Comparison verification part 109 Operation control unit 200 Battery (device to be authenticated)
201 Authentication Data Receiving Unit 202 Verification Data Extraction Unit 203 Verification Response Data Generation Unit 204 Response Base Data Generation Unit 205 Authentication Response Data Generation Unit 206 Authentication Response Data Transmission Unit

Claims (3)

An authentication device that authenticates whether or not the device to be authenticated is a legitimate device,
Authentication base data generating means for generating N (N is a natural number) bytes of authentication base data;
Verification data generation means for generating verification data of M (M is a natural number) bytes smaller than N bytes;
Verification data storage means for storing the verification data generated by the verification data generation means;
Based on a predetermined embedding pattern, by embedding the verification data generated by the verification data generation means in the authentication base data generated by the authentication base data generation means, Authentication data generation means for generating;
Authentication data transmitting means for transmitting the authentication data generated by the authentication data generating means to the device to be authenticated;
Authentication response data receiving means for receiving authentication response data of L (L is a natural number) bytes larger than M bytes, which is response data of the authentication data, from the device to be authenticated;
A verification response data extraction unit that extracts M-byte verification response data from the authentication response data received by the authentication response data reception unit based on a predetermined embedding pattern;
Verification response data dividing means for dividing the verification response data extracted by the verification response data extraction means into a plurality of X-bit verification response data having an X (X is a natural number) bit width;
Verification data dividing means for dividing the verification data stored in the verification data storage means into a plurality of X bit verification data having an X bit width;
Any one of addition results obtained by adding a predetermined range of values to arbitrary X-bit verification data, and a bit in the verification data in which the arbitrary X-bit verification data exists Verification means for verifying whether or not the value of the X bit verification response data existing in the bit area in the verification response data corresponding to the area matches,
When the verification results by the verification unit match for all combinations of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is a regular device and performs operation control. On the other hand, if the verification result does not match for at least one of the combination of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is not a legitimate device. And an operation control means for controlling the operation of the device to be authenticated not to be performed.
Having an authentication device. An authenticated device that proves that the device is a legitimate device with respect to the authentication device,
Authentication data receiving means for receiving N (N is a natural number) bytes of authentication data from the authentication device;
Verification data extraction means for extracting M (M is a natural number) bytes of verification data smaller than N bytes from the authentication data received by the authentication data reception means based on a predetermined embedding pattern;
Verification data dividing means for dividing the verification data extracted by the verification data extraction means into X-bit verification data consisting of a plurality of bit areas having an X (X is a natural number) bit width;
A plurality of random numbers having values within a predetermined range set in advance are generated, and each of the plurality of random numbers is obtained for each of the plurality of X-bit verification data acquired from the verification data dividing unit. Adding means for adding;
A verification response for generating M-byte verification response data by returning each of the plurality of X-bit verification data added with the random number by the adding means to the bit area divided by the verification data dividing means Data generation means;
Response base data generating means for generating response base data of L (L is a natural number) bytes larger than M bytes;
Based on a predetermined embedding pattern, the authentication response data generated by the verification response data generation unit is embedded in the response base data generated by the response base data generation unit, thereby the authentication Authentication response data generating means for generating authentication response data that is response data of the authentication data;
Authentication response data transmitting means for transmitting the authentication response data generated by the authentication response data generating means to the authentication device;
A device to be authenticated. An authentication device that performs authentication as to whether or not the device to be authenticated is a legitimate device, and a device authentication system that includes the device to be authenticated,
The authentication device is
Authentication base data generating means for generating N (N is a natural number) bytes of authentication base data;
Verification data generation means for generating verification data of M (M is a natural number) bytes smaller than N bytes;
Verification data storage means for storing the verification data generated by the verification data generation means;
Based on a predetermined embedding pattern, by embedding the verification data generated by the verification data generation means in the authentication base data generated by the authentication base data generation means, Authentication data generation means for generating;
Authentication data transmitting means for transmitting the authentication data generated by the authentication data generating means to the device to be authenticated;
Authentication response data receiving means for receiving authentication response data of L (L is a natural number) bytes larger than M bytes, which is response data of the authentication data, from the device to be authenticated;
A verification response data extraction unit that extracts M-byte verification response data from the authentication response data received by the authentication response data reception unit based on a predetermined embedding pattern;
Verification response data dividing means for dividing the verification response data extracted by the verification response data extraction means into a plurality of X-bit verification response data having an X (X is a natural number) bit width;
Verification data dividing means for dividing the verification data stored in the verification data storage means into a plurality of X bit verification data having an X bit width;
Any one of addition results obtained by adding a predetermined range of values to arbitrary X-bit verification data, and a bit in the verification data in which the arbitrary X-bit verification data exists Verification means for verifying whether or not the value of the X bit verification response data existing in the bit area in the verification response data corresponding to the area matches,
When the verification results by the verification unit match for all combinations of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is a regular device and performs operation control. On the other hand, if the verification result does not match for at least one of the combination of the X-bit verification data and the X-bit verification response data, it is determined that the device to be authenticated is not a legitimate device. And an operation control means for controlling the operation of the device to be authenticated not to be performed,
The device to be authenticated is
Authentication data receiving means for receiving the authentication data from the authentication device;
Verification data extraction means for extracting the verification data from the authentication data received by the authentication data reception means based on a predetermined embedding pattern;
Verification data dividing means for dividing the verification data extracted by the verification data extraction means into X-bit verification data consisting of a plurality of bit areas having an X-bit width;
A plurality of random numbers having values within a predetermined range set in advance are generated, and each of the plurality of random numbers is obtained for each of the plurality of X-bit verification data acquired from the verification data dividing unit. Adding means for adding;
Verification response data for generating the verification response data by returning the plurality of X-bit verification data added with the random number by the addition means to each of the bit areas divided by the verification data division means Generating means;
Response base data generating means for generating the response base data of L bytes;
Based on a predetermined embedding pattern, the authentication response data generated by the verification response data generation unit is embedded in the response base data generated by the response base data generation unit, thereby the authentication Authentication response data generating means for generating response data for authentication;
A device authentication system comprising: an authentication response data transmission unit configured to transmit the authentication response data generated by the authentication response data generation unit to the authentication device.

Images